The Security Admin has created a new keyring and new certificates in order to test a secured loopback transfer using System SSL with XCOM for z/OS. The transfer is failing with message XCOMM1510E System SSL: gsk_secure_socket_init:RC = 413: Reason = Certificate signature is incorrect

Release : 12.0

Component : XCOM Data Transport for z/OS

Per the IBM documentation: 

413 Certificate signature is incorrect.
Last Updated: 2023-06-28

Explanation
The certificate signature is not correct for a certificate received from the communication partner.

User response
Ensure that a valid certificate is being sent by the communication partner. Collect a System SSL trace containing a dump of the incorrect certificate and then contact your service representative if the error persists.

Capture a System SSL trace as indicated by the IBM message and have the Security Admin or IBM review it to find the problem with the certificate. The System SSL trace can be enabled by adding the following to the XCOM JCL:

//CEEOPTS DD *
ENVAR("GSK_TRACE=0x3F",
"GSK_TRACE_FILE=/tmp/gskssl.%.trc")
/*

The CEEOPTS DD statement is used to specify LE runtime options. The ENVAR option is used to set environment variables which System SSL will use during the run. Variable GSK_TRACE enables SystemSSL tracing and GSK_TRACE file specifies the name of the UNFORMATTED trace file which will be created by SystemSSL. The percent sign in the file name replaces to the numeric Unix process ID which creates the file. Value /tmp/gskssl.%.trc is the default and of course you may specify a different name if needed.

Once you have the unformatted SystemSSL trace file, you need to format it into readable statements using the 'gsktrace' utility. The command is:

gsktrace input_file > output_file